README
¶
GoVPN
GoVPN is a modern evolution of OpenVPN, implemented in Go with a focus on compatibility, performance, and security.
Project Vision
GoVPN aims to evolve OpenVPN, preserving its time-tested concepts while addressing its shortcomings:
- Compatibility with the OpenVPN ecosystem - support for existing clients and configurations
- High performance - optimized implementation in Go
- Modern security - OIDC, MFA, LDAP integration, and modern cryptography
- Deployment flexibility - from single installations to Kubernetes clusters
- Ease of management - powerful CLI, REST API, and web panel while maintaining familiar configuration
- Advanced traffic obfuscation - built-in anti-censorship capabilities
Current Status
Phase 1: COMPLETED - Basic functionality and OpenVPN compatibility
Phase 2: COMPLETED - Configuration system, obfuscation, authentication, testing
Phase 3: COMPLETED - Scaling, monitoring, and production readiness
Web Interface: COMPLETED - Full-featured administrative panel
Latest Achievements
Production-Ready Monitoring and Scaling (Phase 3)
- Prometheus Metrics - comprehensive metrics collection (40+ metric types)
- Structured Logging - JSON, Text, and OpenVPN-compatible formats with log rotation
- Alert System - automated notifications with customizable rules and cooldowns
- Performance Monitoring - system resources, goroutines, memory, and CPU tracking
- Grafana Dashboards - ready-to-use panels for all VPN server aspects
- Kubernetes Deployment - complete manifests with auto-scaling and load balancing
- High Performance - optimized monitoring with minimal overhead (555ns/op for metrics)
- Production Documentation - comprehensive guides for deployment and troubleshooting
Full-Featured Web Interface
- React + TypeScript - modern architecture with Material-UI design
- Internationalization - complete support for Russian and English languages
- User Management - CRUD operations with roles and statuses
- Real-time Monitoring - server statistics and connections
- Certificate Management - creation, viewing, revocation of certificates
- Authentication System - JWT tokens and secure sessions
- Responsive Design - optimization for all devices
- API Client - typed integration with backend
- Development API Server - mock API for interface development
Comprehensive Configuration System
- Enhanced configuration parser - support for 80+ new parameters with OpenVPN compatibility
- Modular configuration files - organized auth.conf, mfa.conf, oidc.conf, ldap.conf, obfuscation.conf
- Priority system - proper OpenVPN-like precedence (config file → command line → defaults)
- 8 ready-made configurations - from basic to enterprise scenarios with detailed examples
Full Authentication System
- Basic authentication - modern hashing algorithms Argon2/PBKDF2
- Multi-factor authentication - complete TOTP/HOTP support with backup codes
- LDAP integration - support for Active Directory, OpenLDAP, FreeIPA, 389 Directory, Oracle Internet Directory
- OIDC integration - works with Keycloak, Google Workspace, Azure AD, Auth0, Okta, GitLab
Comprehensive Obfuscation System
- Modular obfuscation system with 9 methods (TLS Tunnel, HTTP Mimicry, DNS Tunnel, XOR, Obfsproxy, etc.)
- OpenVPN obfsproxy compatibility - Direct integration with OpenVPN obfsproxy plugins
- Anti-statistical analysis - Packet Padding, Timing Obfuscation, Traffic Padding, Flow Watermarking
- Steganography methods - HTTP Cover Traffic, DNS Tunneling
- Regional profiles for China, Iran, Russia with adaptive switching
Web Interface
Starting Development Environment
- Launch Development API Server:
# Build and run API server with mock data
go build -o govpn-dev-api ./cmd/dev-api
./govpn-dev-api -port 8080 -host 127.0.0.1
- Launch Web Interface:
cd web
npm install
npm run dev
# Open http://localhost:5173
Available API Endpoints
Development API server provides:
GET /api/v1/status- server statusGET /api/v1/users- list usersPOST /api/v1/users- create userGET|PATCH|DELETE /api/v1/users/{id}- user operationsGET /api/v1/clients- active connectionsGET /api/v1/certificates- certificate managementGET /api/v1/config- server configurationGET /api/v1/logs- system logs
Web Interface Features
- Internationalization: 483 lines of translations for Russian and English languages
- Modern Material-UI design: cards, chips, dialogs, snackbars
- Typed API client: full TypeScript integration
- Responsiveness: optimization for desktop and mobile devices
- Security: JWT authentication and protected routes
Architecture
┌──────────────────┐
│ Web Dashboard │
│ (React + TS) │
│ Port: 5173 │
└─────────┬────────┘
│ HTTP API
│
┌────────┴────────┐
│ REST API │
│ Port: 8080 │
│ /api/v1/* │
└────────┬────────┘
│
┌──────────────┴──────────────┐
│ │
┌─────────┴─────────┐ ┌─────────┴──────────┐
│ Development API │ │ Production VPN │
│ (Mock Data) │ │ Server │
│ cmd/dev-api │ │ cmd/server │
└───────────────────┘ └────────────────────┘
Key Features
Implemented
- Complete Configuration System - Enhanced OpenVPN config parser with 80+ new parameters
- Authentication System - Local, MFA, LDAP, OIDC with standard libraries
- Traffic Obfuscation - 9 methods with anti-detection and regional profiles
- OpenVPN Compatibility - Protocol and configuration support
- Modern Cryptography - TLSv1.3, AES-GCM, ChaCha20-Poly1305
- REST API - Complete server management interface
- Certificate Management - Full PKI support
- Web Interface - Modern React-based administrative panel
- Production Monitoring - Prometheus metrics, structured logging, Grafana dashboards
- Kubernetes Deployment - Complete manifests with auto-scaling and load balancing
- Alert System - Automated notifications with customizable rules and cooldowns
- Performance Optimization - High-performance monitoring (555ns/op for metrics)
In Development
- PostgreSQL integration for enterprise deployments
- Clustering and high availability
- Advanced user provisioning
Requirements
- Go 1.24.2 or higher
- Node.js 18+ and npm (for web interface development)
- (Optional) PostgreSQL 15 or higher for enterprise features
- Network access for LDAP/OIDC providers (if used)
Quick Start
Prerequisites
- Docker and Docker Compose
- Go 1.21 or later (for building from source)
- Linux/macOS/Windows
- For obfsproxy support: obfsproxy or obfs4proxy installed
Docker Quick Start (Recommended)
# Clone the repository
git clone https://github.com/atlet99/govpn.git
cd govpn
# For quick demo with mock API
docker-compose -f docker/docker-compose.demo.yml up -d
# For testing real VPN server
docker-compose up -d
# For production with full infrastructure
cd docker && docker-compose up -d
Access services:
- Demo: Web UI at http://localhost:3000, Mock API at http://localhost:8080
- Real VPN: VPN at udp://localhost:1194, API at http://localhost:8081, Web at http://localhost:3000
- Production: Full infrastructure with Keycloak, monitoring, etc.
See Docker Configurations for detailed information.
Manual Installation
# Clone the repository
git clone https://github.com/atlet99/govpn.git
cd govpn
# Build the server
go build -o govpn-server ./cmd/server
# Build the client
go build -o govpn-client ./cmd/client
# Build development API server
go build -o govpn-dev-api ./cmd/dev-api
Installation Check
# Check if obfsproxy is installed and working
./scripts/check_obfsproxy.sh
# Install obfsproxy if needed (macOS)
brew install obfs4proxy
# Install obfsproxy if needed (Ubuntu)
sudo apt-get install obfsproxy
Web Interface Development
# Start development environment (API + Web)
./scripts/dev-start.sh
# Or manually:
# 1. Start development API server
./govpn-dev-api -port 8080 -host 127.0.0.1
# 2. Start web interface
cd web && npm install && npm run dev
Basic VPN Server Usage
# Start server with basic configuration
./govpn-server -config deploy/server.conf
# Start with authentication and obfuscation
./govpn-server -config deploy/server.conf -auth -obfuscation
# Start with API interface
./govpn-server -api -api-port 8080 -api-listen 127.0.0.1
# Start with monitoring enabled
./govpn-server -config deploy/server.conf -monitoring -metrics-port 9100
Production Monitoring and Scaling
Kubernetes Deployment
# Deploy to Kubernetes cluster
kubectl apply -f deploy/kubernetes/namespace.yaml
kubectl apply -f deploy/kubernetes/configmap.yaml
kubectl apply -f deploy/kubernetes/deployment.yaml
kubectl apply -f deploy/kubernetes/service.yaml
# Check deployment status
kubectl get pods -n govpn
kubectl get services -n govpn
Monitoring Setup
# Run monitoring benchmarks
cd pkg/monitoring
go test -bench=. -benchmem
# Start server with monitoring
./govpn-server -config deploy/server.conf \
-monitoring \
-metrics-port 9100 \
-log-format json
Grafana Dashboard Import
# Import ready-made Grafana dashboards
# 1. Access Grafana UI (default: http://localhost:3000)
# 2. Go to Dashboard > Import
# 3. Load from file: docs/monitoring/grafana-dashboard.json
# 4. Configure data source: Prometheus (http://localhost:9090)
Certificates and PKI
Generate server and client certificates:
# Generate CA and server certificates
./scripts/generate_certs.sh
# Or use the built-in certificate generator
go run ./cmd/generate_certs -ca -server -client
Configuration Examples
The project includes 8 ready-made configuration files in deploy/ directory:
- basic.conf - Minimal VPN server setup
- server.conf - Standard server configuration with authentication
- auth.conf - Authentication configuration (local users, passwords)
- mfa.conf - Multi-factor authentication setup
- ldap.conf - LDAP/Active Directory integration
- oidc.conf - OpenID Connect provider integration
- obfuscation.conf - Traffic obfuscation and anti-censorship
- monitoring.conf - Comprehensive monitoring and logging setup
Configuration
Server Configuration
Basic server configuration file structure:
# Basic VPN server settings
port 1194
proto udp
dev tun
# Certificates and encryption
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher AES-256-GCM
# Network settings
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Client configuration
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Security
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Authentication Configuration
Configure various authentication methods:
# Local authentication with password file
auth-user-pass-verify /etc/govpn/auth.txt via-file
# LDAP authentication
ldap-enabled true
ldap-server ldap://your-ldap-server.com:389
ldap-bind-dn cn=admin,dc=example,dc=com
ldap-bind-password your-password
ldap-base-dn ou=users,dc=example,dc=com
# Multi-factor authentication
mfa-enabled true
mfa-issuer "GoVPN Server"
mfa-digits 6
mfa-period 30
# OIDC authentication
oidc-enabled true
oidc-issuer https://your-oidc-provider.com
oidc-client-id your-client-id
oidc-client-secret your-client-secret
Obfuscation Configuration
Configure traffic obfuscation to bypass DPI:
# Enable obfuscation
obfuscation-enabled true
# XOR obfuscation
obfuscation-method xor
obfuscation-key mysecretkey123
# TLS tunnel obfuscation
obfuscation-method tls-tunnel
obfuscation-tls-host example.com
# HTTP mimicry
obfuscation-method http-mimicry
obfuscation-http-host www.google.com
# Obfsproxy integration
obfuscation-method obfsproxy
obfuscation-obfsproxy-transport obfs4
API Reference
Authentication
All API endpoints require JWT authentication. Obtain a token by posting credentials to /api/v1/auth/login.
# Login and get token
curl -X POST http://localhost:8080/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": "password"}'
# Use token in subsequent requests
curl -H "Authorization: Bearer YOUR_JWT_TOKEN" \
http://localhost:8080/api/v1/status
Endpoints
Server Status
GET /api/v1/status
Returns server status, uptime, and basic statistics.
User Management
# List all users
GET /api/v1/users
# Create new user
POST /api/v1/users
{
"username": "john",
"email": "john@example.com",
"password": "securepassword",
"role": "user"
}
# Get user details
GET /api/v1/users/{id}
# Update user
PATCH /api/v1/users/{id}
{
"email": "newemail@example.com",
"role": "admin"
}
# Delete user
DELETE /api/v1/users/{id}
Active Connections
GET /api/v1/clients
Returns list of currently connected VPN clients.
Certificate Management
# List certificates
GET /api/v1/certificates
# Generate new certificate
POST /api/v1/certificates
{
"common_name": "client1",
"email": "client1@example.com",
"validity_days": 365
}
# Revoke certificate
DELETE /api/v1/certificates/{serial}
Configuration
# Get current configuration
GET /api/v1/config
# Update configuration
PUT /api/v1/config
{
"port": 1194,
"protocol": "udp",
"cipher": "AES-256-GCM"
}
Logs
# Get recent logs
GET /api/v1/logs?limit=100&level=info
Monitoring and Metrics
Prometheus Metrics
GoVPN exposes comprehensive metrics for monitoring:
- Connection metrics: active connections, new connections per second, disconnections
- Performance metrics: CPU usage, memory consumption, goroutine count
- Network metrics: bytes transferred, packets processed, error rates
- Authentication metrics: login attempts, successful/failed authentications
- Obfuscation metrics: obfuscated packets, method distribution
Example metrics endpoint:
curl http://localhost:9100/metrics
Grafana Integration
Import the provided Grafana dashboard for comprehensive monitoring:
- Copy
docs/monitoring/grafana-dashboard.json - Import in Grafana UI
- Configure Prometheus data source
- Monitor server performance, connections, and security events
Log Formats
GoVPN supports multiple log formats:
# JSON format (structured logging)
./govpn-server -log-format json
# Text format (human-readable)
./govpn-server -log-format text
# OpenVPN compatible format
./govpn-server -log-format openvpn
Testing
Unit Tests
Run the complete test suite:
# Run all tests
go test ./...
# Run tests with coverage
go test -cover ./...
# Run benchmarks
go test -bench=. ./pkg/monitoring/
Integration Tests
Test with real VPN scenarios:
# Test authentication system
go test ./pkg/auth/... -v
# Test obfuscation methods
go test ./pkg/obfuscation/... -v
# Test monitoring and metrics
go test ./pkg/monitoring/... -bench=.
Performance Tests
Benchmark critical components:
# Monitor performance benchmarks
cd pkg/monitoring
go test -bench=BenchmarkPerformanceMonitor -benchmem
# Obfuscation performance
cd pkg/obfuscation
go test -bench=BenchmarkObfuscation -benchmem
Production Deployment
Docker Deployment
# Build Docker image
docker build -t govpn:latest .
# Run container
docker run -d \
--name govpn-server \
-p 1194:1194/udp \
-p 8080:8080 \
-v /path/to/config:/etc/govpn \
-v /path/to/certs:/etc/govpn/certs \
govpn:latest
Systemd Service
Create systemd service file /etc/systemd/system/govpn.service:
[Unit]
Description=GoVPN Server
After=network.target
[Service]
Type=simple
User=govpn
WorkingDirectory=/opt/govpn
ExecStart=/opt/govpn/govpn-server -config /etc/govpn/server.conf
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl enable govpn
sudo systemctl start govpn
sudo systemctl status govpn
Security Considerations
- Certificate Management: Use strong RSA keys (minimum 2048-bit) or ECC curves
- Network Security: Configure firewall rules, disable unnecessary services
- Authentication: Enable MFA for administrative access
- Monitoring: Set up alerts for failed authentication attempts and unusual traffic patterns
- Updates: Keep the server and dependencies updated regularly
Performance Tuning
- OS Tuning: Increase file descriptor limits, optimize network buffers
- Go Runtime: Set appropriate GOMAXPROCS, garbage collection targets
- Network: Configure optimal MTU sizes, enable hardware offloading
- Monitoring: Use lightweight monitoring configurations to minimize overhead
Troubleshooting
Common Issues
Connection Problems
# Check server status
./govpn-server -status
# Verify certificates
openssl x509 -in server.crt -text -noout
# Test network connectivity
nc -u server-ip 1194
Authentication Issues
# Check authentication logs
tail -f /var/log/govpn/auth.log
# Verify LDAP connectivity
ldapsearch -x -H ldap://your-ldap-server -D "cn=admin,dc=example,dc=com" -W
# Test OIDC configuration
curl https://your-oidc-provider/.well-known/openid_configuration
Performance Issues
# Monitor server performance
curl http://localhost:9100/metrics | grep govpn
# Check system resources
top -p $(pgrep govpn-server)
# Analyze connection patterns
./govpn-server -api -debug
curl http://localhost:8080/api/v1/clients
Log Analysis
Enable detailed logging for troubleshooting:
# Enable debug logging
./govpn-server -config server.conf -log-level debug
# Monitor authentication events
tail -f /var/log/govpn/auth.log | grep "authentication"
# Track connection events
tail -f /var/log/govpn/server.log | grep "client"
Contributing
Development Setup
- Fork the repository
- Clone your fork:
git clone https://github.com/your-username/govpn.git cd govpn - Install dependencies:
go mod download cd web && npm install - Run tests:
go test ./... cd web && npm test
Code Standards
- Go Code: Follow Go conventions, use
gofmt,golint, andgo vet - Web Code: Use ESLint and Prettier configurations
- Comments: Write clear, descriptive comments explaining the purpose
- Tests: Include unit tests for new functionality
- Documentation: Update relevant documentation for changes
Pull Request Process
- Create feature branch:
git checkout -b feature/your-feature-name - Make changes with appropriate tests and documentation
- Run full test suite:
make test - Submit pull request with clear description of changes
- Address review feedback if required
License
This project is licensed under the MIT License - see the LICENSE file for details.
Support
- Documentation: See
docs/directory for detailed guides - Issues: Report bugs and feature requests via GitHub Issues
- Discussions: Use GitHub Discussions for questions and community support
GoVPN - Modern OpenVPN implementation in Go with enhanced security, performance, and management capabilities.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
client
command
|
|
|
dev-api
command
|
|
|
generate_certs
command
Package main provides a utility for generating test certificates for GoVPN
|
Package main provides a utility for generating test certificates for GoVPN |
|
server
command
|
|
|
pkg
|
|
|
api
Package api provides a REST API for GoVPN server management
|
Package api provides a REST API for GoVPN server management |
|
auth
Package auth provides authentication and security functionality for GoVPN
|
Package auth provides authentication and security functionality for GoVPN |
|
compat
Package compat implements OpenVPN compatibility layer
|
Package compat implements OpenVPN compatibility layer |
|
core
Package core contains VPN server core components
|
Package core contains VPN server core components |
|
server
Package server provides the main server implementation integrating VPN and API
|
Package server provides the main server implementation integrating VPN and API |
|
storage
Package storage provides interfaces and implementations for data persistence
|
Package storage provides interfaces and implementations for data persistence |
|
storage/postgres
Package postgres provides PostgreSQL implementation of the storage interface
|
Package postgres provides PostgreSQL implementation of the storage interface |
Click to show internal directories.
Click to hide internal directories.